IT Freedom Blog

Google's New Password Checkup Extension

After every major password breach come new security features, and now, after the release of Collection #1...and #2, #3, #4, and #5, comes Google’s newest innovation to help secure your passwords and let you know if they’ve been compromised. We mentioned Collection #1 in our January Updates blog a few weeks ago, but in case you’re unfamiliar, last month the largest collection of user login credentials was uploaded to the “Have I Been Pwned?” website, revealing millions of usernames and passwords. Google’s latest Chrome extension is designed to help you discover if any of your user accounts have been affected by previous breaches, and alert you so that you can change your passwords. Say hello to Password Checkup.

What is Password Checkup?

On February 5th Google rolled out its newest innovation in password protection: the Google Password Checkup extension. Google has been attempting to help users with password protection for the past few years by automatically resetting the Google account password for any account they believe has been compromised in a breach. This is a security strategy they say “has helped [them] protect 110 million users in the last 2 years.” So what is this new extension? It’s a way to check whether ANY account you log into while using Chrome, not just your Google account, may have been compromised in a previous data breach. Password Checkup was developed with Stanford cryptography experts to uphold the highest levels of security and give you the most accurate information when it comes to your passwords.

How does the extension work?

After you’ve installed the Password Checkup extension, Google will alert you to possibly compromised passwords and indicate that you should change them. The extension will only alert you to passwords that appear in previously released lists of breached passwords. It will not trigger an alert for outdated or simply weak passwords (although you should change those too, because having weak passwords is another giant security risk).

Can Google see my passwords?

Since Google is checking your passwords against previously breached login credentials, it’s logical to ask whether Google is now storing those passwords, or whether it has access to them at all. The answer is no. Those Stanford cryptography experts we mentioned were brought in by Google to help ensure that it cannot see or store any of your passwords. None of your login credentials are stored, no personal information is revealed to Google, and everything is anonymous. How do they do this? Well, the extension sends a strongly hashed and encrypted version of the login credentials to Google to check against a list of previous breaches. This protocol ensures everything stays anonymous. Password Checkup was also designed to prevent attackers from abusing the extension in order to reveal usernames and passwords.

Source: Google
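
To make the "hashed and encrypted" idea from the section above concrete, here is a small Python sketch added for this article; it is not code from Google or from the extension. It shows how a client can hash and then blind a credential so a server can answer a breach lookup without ever seeing the password. The toy group, the use of SHA-256, the names `BreachServer` and `is_breached`, and the sample credentials are all assumptions made for the example.

```python
import hashlib
import secrets
from math import gcd

# Toy group: integers modulo the prime 2**255 - 19. Illustration only; a real
# deployment would use a vetted elliptic-curve group and a slow password hash.
P = 2**255 - 19

# Constructed sample data standing in for a breach corpus.
SAMPLE_BREACH = [("alice@example.com", "hunter2"), ("bob@example.com", "123456")]

def hash_credential(username: str, password: str) -> int:
    """Map a username/password pair to a non-zero group element."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

def random_exponent() -> int:
    """Pick a secret exponent that is invertible modulo the group order P - 1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

class BreachServer:
    """Holds breached credentials only in the form H(cred)**b mod P."""
    def __init__(self, breached):
        self._b = random_exponent()
        self._db = {pow(hash_credential(u, p), self._b, P) for u, p in breached}

    def lookup(self, blinded: int):
        # The server sees only H(cred)**a and cannot remove the client's secret a.
        # Simplification: a real service would return one small bucket, not the whole set.
        return pow(blinded, self._b, P), self._db

def is_breached(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind, query, unblind, then compare locally."""
    a = random_exponent()                      # fresh client secret per query
    blinded = pow(hash_credential(username, password), a, P)
    double_blinded, database = server.lookup(blinded)
    a_inv = pow(a, -1, P - 1)                  # strips the client's layer
    return pow(double_blinded, a_inv, P) in database   # equals H(cred)**b
```

The match is decided on the client: the server only ever handles values locked with a secret it does not hold, and the client only ever receives breach entries locked with the server's secret.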

What do I do after I receive an alert?

This is a pretty simple question to answer. Change your password on that website...and if you’ve used those credentials on any other website, change them there as well! We always recommend using a password manager to keep track of your passwords so you can make sure you’re using a different, unique password for every website.

If you have started using Password Checkup and have opinions or thoughts on the extension, let us know in the comments, or on our Facebook and Twitter!